The present invention relates to security in an application-level virtual machine environment, and in particular, to improving security using controlled bridges.
Unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Programming languages may be broadly categorized into two types: dynamic programming languages and non-dynamic programming languages. A non-dynamic language may be thought of as a programming language where the binding between method (or procedure) calls to the implementing methods happens at compile time. A dynamic language may be thought of as a programming language where the binding happens at runtime and usually can be overwritten in the program at any time. In non-dynamic languages, the method calls may be calls to procedures, which are assigned to classes. In dynamic languages, a method call may be a message to be sent to an instance of a class, and it is the task of the class to decide what to do with the message.
More specifically, the term “dynamic programming language” describes a class of high level programming languages that execute at runtime many common behaviors that other languages might perform during compilation, if at all. These behaviors could include extension of the program, by adding new code, by extending objects and definitions, or by modifying the type system, all during program execution. These behaviors can be emulated in nearly any language of sufficient complexity, but dynamic languages provide direct tools to make use of them. The term “non-dynamic programming language” describes languages that lack these behaviors. (Non-dynamic programming languages may also be referred to as “static programming languages” or “robust programming languages”.)
Dynamic programming languages have a number of benefits, either actual or perceived. They are flexible, for example, by allowing dynamic typing of variables, and giving the ability to change code and logical structures at runtime. Many dynamic languages are open source languages. Dynamic languages allow for high productivity, for example, being easy to learn and having a straightforward syntax. Dynamic languages often allow for easier integration, for example in environments such as mashups or other web services.
An example of a dynamic language is Ruby. Ruby is a reflective, dynamic, object oriented programming language. It combines syntax inspired by Perl with Smalltalk-like object oriented features, and also shares some features with Python, Lisp, Dylan, and CLU. Ruby is a single pass interpreted language.
However, dynamic languages have a number of drawbacks in certain computing environments. For example, the ability to change the program code during program execution is generally a strength, but is a drawback in the business applications environment. For business applications, it is generally undesirable for the programs of one user to affect the programs or data of another user. Business applications must be generally “robust”, where programs from different users are kept isolated, limiting the potential to create damage to other users' programs, to the server, or to the underlying business data.
Such problems are not solved by implementing dynamic languages in the Java® language, for example, because the Java® language has no thread level isolation. For further details, see for example Almut Herzog and Nahid Shahmehri, “Problems Running Untrusted Services as Java Threads”, CSES 2004 2nd International Workshop on Certification and Security in Inter-Organizational E-Services (2004).
Furthermore, if there is interaction between a dynamic programming environment and a non-dynamic programming environment, there arises the possibility of compromised security via the interaction.
Thus, there is a need for improved security in dynamic programming environments. The present invention solves these and other problems by providing security solutions for bridges between a dynamic programming environment and a robust programming environment.